What do you think could be crazy enough to make a mellow nerd see red? Let me tell you a story. A couple of days ago I heard about a case of a really bad web host.
You need to read this, because there's a cautionary tale here, and I want you to be aware of the kind of scoundrels you might be dealing with, the ones hosting your websites.
You count on your host. Your business depends on them keeping your site online and safe. But what happens when things go wrong?
The host in our story, who I’ll call Dr Evil, Inc, don’t like it when their clients’ sites get hacked. Fair enough, I don’t like it when sites get hacked either. It’s nasty. It’s traumatising for site owners. It’s damaging to your business. And it’s expensive to clean up.
But there’s traumatising and there’s traumatising, and Dr Evil, Inc seem to be going for the gold medal.
Their procedure when a client’s site gets hacked is to immediately block access and not let the client get in again. At all. Until the account has been totally deleted. Totally deleted. Including the backups.
That isn’t quite believable, so I’ll repeat it. Totally deleted. Including the backups.
To cover their ass, they make you email them an authorisation for the site to be nuked before they’ll give you access again.
Wiping out an entire account, and all the backups, and potentially destroying your business, is so far out of proportion I’m not sure I can come up with a comparison. It’d be like someone stealing a chocolate bar and the government believing the appropriate response is to nuke the entire city.
What Would Austin Powers Do?
So what should they do? (aka “how does a good host behave?”)
The first job of a host when something goes wrong is to help you relax. Being panicked doesn’t do a damn thing for your website, and it does hurt you.
Automatically blaming clients and going full-on Storm Trooper isn’t helping – it's making a bad situation worse. A hack usually is the client’s fault, but there’s no need to be a dick about it.
Fact is, most people do not have a recent, off-server backup of their site. Odds are you don’t. You know it’s important, you know you should, but it’s been pigeonholed in your brain into the “someday” category… which we all know actually means “never”. Even if you do have a backup, it’s probably on the same hosting account, and by nuking it they’re getting rid of your one chance of salvation.
And the worst thing is: it doesn’t fix the problem. Most hacks we see actually happened days, weeks, months or, in rare cases, even years before the website is defaced, so the backup you’d restore from almost certainly contains the compromise too. Restoring from a backup doesn’t fix the problem at all.
The really stupid thing is they’re missing out on great profits for providing a valuable service to their clients.
What they should do is have their own team, or professionals like us or Sucuri, clean up and remove the hack, then secure the site (do all needed updates, check code quality, etc.) and charge a monthly maintenance fee.
Or even let clients do it themselves; we’ve worked several times with people who have had their hosting turned off – but not wiped – and the hosts have been happy to turn the account back on so we could work.
Results? Happy, grateful clients and a new revenue stream.
Takeaways (mmm… takeaway)
- Don’t choose a host for your business based on price
- Keep control of your backups – have them run automagically, and automagically moved off the server (e.g. to your Amazon S3 account)
- Ask your host today what their policy is for dealing with hacked sites